CVE-2026-20125
Published: 25 March 2026
Summary
CVE-2026-20125 is a high-severity Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability in Cisco IOS Software (inferred from references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the input validation flaw in the Cisco IOS HTTP server via timely patching prevents exploitation by malformed requests causing device reloads.
Requiring validation of user-supplied HTTP inputs directly mitigates the improper validation vulnerability that allows malformed requests to trigger DoS.
Implementing denial-of-service protections limits the impact of malformed HTTP requests that could exhaust resources or cause watchdog timer expiration and reloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln directly enables remote exploitation of public-facing HTTP server (T1190) via malformed input to trigger system reload/crash (T1499.004).
NVD Description
A vulnerability in the HTTP Server feature of Cisco IOS Software and Cisco IOS XE Software Release 3E could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.…
more
This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malformed HTTP requests to an affected device. A successful exploit could allow the attacker to cause a watchdog timer to expire and the device to reload, resulting in a DoS condition. To exploit this vulnerability, the attacker must have a valid user account.
Deeper analysisAI
CVE-2026-20125 is a vulnerability in the HTTP Server feature of Cisco IOS Software and Cisco IOS XE Software Release 3E. The issue arises from improper validation of user-supplied input, which could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial-of-service (DoS) condition. Published on 2026-03-25, the vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-228.
An attacker can exploit this vulnerability by sending malformed HTTP requests to an affected device, provided they possess a valid user account. Successful exploitation triggers a watchdog timer expiration, forcing the device to reload and disrupting network services in a DoS scenario. The low complexity and privileges required (local authenticated access) combined with network accessibility make it feasible for targeted attacks.
Details on mitigation, workarounds, and patches are available in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-dos-sbv8XRpL.
Details
- CWE(s)